Valley

Target IP: 10.10.115.224

Can you find your way into the Valley?


Scanning

[Screenshot: port scan results]
There are three TCP ports open on the target machine: SSH, HTTP, and FTP.


Enumeration

Port 80: HTTP
[Screenshot: landing page]
The landing page above is what the web application serves. It has two buttons, View Gallery and View Pricing, each of which links to another HTML page.

[Screenshot: feroxbuster results]
A directory search with feroxbuster, using the command feroxbuster -u http://10.10.115.224/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,py,php,sh -d 2, turned up the interesting page shown above. There is also a directory called /static/, which is empty.

[Screenshot: note.txt]
The note.txt file contains the message above. It gives two potential usernames, J and RP, and mentions that there are notes on the website, but the directory search did not point to any.

[Screenshot: gobuster results for /static]
However, a directory search on /static with the command gobuster dir -u http://10.10.115.224/static -w /usr/share/wordlists/dirb/big.txt gives the interesting result above. Judging by the response sizes, /00 could be a web page while the others are pictures.

[Screenshot: /static/00]
And it is: /00 contains the message above. The directory /dev1243224123123 sounds interesting.

[Screenshot: login page at /dev1243224123123]
The directory /dev1243224123123 contains the login page above. I sprayed default credentials such as admin:admin, but they did not work. Viewing the source code of this page reveals critical information.

[Screenshot: dev.js]
The dev.js JavaScript file contains the hardcoded username and password for the login page.

[Screenshot: note shown after login]
I used the credentials from the JavaScript file to log in. After logging in, the note above is displayed. It mentions that the same credentials are reused elsewhere. Maybe I can spray siemDev:california against FTP?

Port 37370: FTP
[Screenshot: FTP session]
I used the same credentials to log in to the FTP service on the higher port. It holds three Wireshark capture files, which I downloaded to my local machine for inspection.

[Screenshot: capture file contents]
After examining the three capture files, I found something interesting in the third one: it contains a username and password.
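The finding above is a cleartext-credential problem: FTP sends USER and PASS unencrypted, so anyone who can read a capture (or the wire) can read the login. The Python script below is an added example, not code from the write-up, that builds a small constructed pcap in memory and scans it for FTP logins on any port, the way a detection job over captured traffic would. The addresses, client ports, usernames and passwords in the sample capture are constructed values; only the server port 37370 is taken from the write-up.

```python
"""Flag cleartext FTP logins in a classic pcap file (added example, not from the write-up).

The capture is constructed in memory; the usernames, passwords and addresses
in it are sample values, not anything observed on the target.
"""
import struct


def _packet(src, dst, sport, dport, payload, seq=1):
    """Build one Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture: one FTP login on port 37370 plus unrelated traffic."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    client, server = "192.0.2.10", "192.0.2.20"   # RFC 5737 documentation addresses
    frames = [
        _packet(server, client, 37370, 50000, b"220 Welcome\r\n"),
        _packet(client, server, 50000, 37370, b"USER alice\r\n"),
        _packet(server, client, 37370, 50000, b"331 Please specify the password.\r\n"),
        _packet(client, server, 50000, 37370, b"PASS example-pass-1\r\n"),
        _packet(server, client, 37370, 50000, b"230 Login successful.\r\n"),
        _packet(client, "192.0.2.30", 50001, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        _packet(client, "192.0.2.40", 50002, 443, bytes(range(256))),  # binary, not text
    ]
    return header + b"".join(frames)


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame in the capture."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                      # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        yield src, sport, dst, dport, frame[tcp + data_off:]


def find_ftp_logins(pcap):
    """Return cleartext USER/PASS pairs, one entry per client-to-server flow.

    The match is on the command verbs, not the port, so FTP on a non-standard
    port (37370 in the write-up) is caught as well."""
    flows = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue                      # encrypted or binary payload
        for line in text.split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS") and arg:
                entry = flows.setdefault((src, sport, dst, dport),
                                         {"client": src, "server": f"{dst}:{dport}"})
                entry["user" if verb.upper() == "USER" else "password"] = arg
    return [e for e in flows.values() if "user" in e]


if __name__ == "__main__":
    for hit in find_ftp_logins(build_sample_pcap()):
        print(f"cleartext FTP login {hit['client']} -> {hit['server']}: user={hit['user']}")
```

On a real capture, read the file in binary mode and pass the bytes to find_ftp_logins; pcapng files and captures with non-Ethernet link types are rejected rather than misparsed. The remediation this check points at is moving file transfer to SFTP or FTPS, so USER and PASS never appear on the wire in the clear.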


Exploitation

[Screenshot: SSH login]
Spraying the credentials from the capture file against SSH gave me a foothold on the target machine.


Privilege Escalation

[Screenshot: switching to siemDev]
There is a user I encountered earlier called siemdev. Using the password california, I gained access as this user.

[Screenshot: cron job]
There is an interesting cron job here.

[Screenshot: the cron job's Python script]
I do not have write permission on this Python file. However, it imports the base64 module, so library hijacking may be possible here.

[Screenshot: pspy64 output]
I transferred pspy64 to the target machine and ran it. It confirms that the script does get run.

[Screenshot: permissions on base64.py]
To change the contents of the base64.py module, I will need access as a user who is a member of the valleyAdmin group.
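The condition described above is the whole library-hijacking risk: a cron job runs as root, but one of the modules it imports lives in a file that a non-root group can write. The Python script below is an added example, not from the write-up or the room, that audits a cron-run script for exactly that: it parses the script's imports, resolves each one along a search path in interpreter order (first match wins), and reports any directory or module file that group or world can write. The script name cronjob.py, the directory layout and the permission bits it sets up are constructed to mirror the write-up's situation.

```python
"""Audit which modules a cron-run Python script imports and whether a user
other than the owner could replace them (the library-hijacking condition).

Added example, not part of the original write-up. The layout built by demo()
is constructed: a cron script that imports base64, and a library directory
holding a base64.py that is group-writable (the weak setting from the room).
"""
import ast
import os
import stat
import tempfile


def imported_modules(script_path):
    """Top-level module names the script imports, found by parsing its AST."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_by_others(path):
    """True if the group or world write bit is set on the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable_modules(script_path, search_path):
    """Resolve each import along search_path the way the interpreter does
    (first directory holding name.py wins) and report what a non-owner could
    change: a writable directory that precedes the real module (a shadow copy
    could be dropped there), or a writable module file itself.

    Returns a list of (module, path, reason) tuples; empty means clean."""
    findings = []
    for name in imported_modules(script_path):
        for entry in search_path:
            if not os.path.isdir(entry):
                continue
            if writable_by_others(entry):
                findings.append((name, entry, "writable directory on the search path"))
            candidate = os.path.join(entry, name + ".py")
            if os.path.isfile(candidate):
                if writable_by_others(candidate):
                    findings.append((name, candidate, "module file writable"))
                break  # first match ends the search, as import would
    return findings


def demo():
    """Constructed layout: the cron script in photos/, a library directory lib/
    with a group-writable base64.py. Returns (findings before fix, after fix)."""
    root = tempfile.mkdtemp()
    script_dir = os.path.join(root, "photos")
    lib_dir = os.path.join(root, "lib")
    for d in (script_dir, lib_dir):
        os.mkdir(d)
        os.chmod(d, 0o755)               # directories themselves are not writable
    script = os.path.join(script_dir, "cronjob.py")  # hypothetical script name
    with open(script, "w") as fh:
        fh.write("import base64\nimport os\n\nprint(base64.b64encode(b'x'))\n")
    os.chmod(script, 0o644)
    module = os.path.join(lib_dir, "base64.py")
    with open(module, "w") as fh:
        fh.write("# stand-in for the real stdlib module\n")
    os.chmod(module, 0o664)              # group-writable: the weak setting
    before = find_hijackable_modules(script, [script_dir, lib_dir])
    os.chmod(module, 0o644)              # the fix: owner-only write
    after = find_hijackable_modules(script, [script_dir, lib_dir])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for module, path, reason in before:
        print(f"{module}: {path} ({reason})")
    print("after fix:", after or "clean")
```

To audit a real job, pass the script's path and the interpreter's sys.path (the script's own directory comes first, which is why a writable script directory is as dangerous as a writable stdlib file). Only single-file modules are resolved here; a package would need the same write check applied to its directory and __init__.py. The fix that the check points at is ownership by root with no group or world write bit, which is what the before/after comparison in demo() shows.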

[Screenshot: valleyAuthenticator]
From earlier enumeration, I had found an interesting file called valleyAuthenticator. I could not examine it on the target because strings is not installed there, so I transferred it to my machine using nc.

[Screenshot: strings output]
Running strings on this file shows interesting MD5 hashes just before the welcome message.

[Screenshot: CrackStation result]
[Screenshot: logging in as valley]
Looking up the hash I obtained on CrackStation gives the password liberty123, and spraying this password against the user valley grants me access.
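The reason a hash pulled out of the binary turned into a password so quickly is that it is a bare MD5 digest: no salt and fast to compute, so a table precomputed once answers it immediately, whoever the user is. The Python below is an added example, not code from the write-up or from valleyAuthenticator, contrasting that pattern with a per-user random salt, PBKDF2 and a constant-time comparison. The stored digest, the wordlist and the passwords are constructed sample values.

```python
"""A fixed MD5 digest baked into an authenticator versus a salted, slow KDF.

Added example, not from the write-up or the valleyAuthenticator binary. Only
the pattern (md5(input) compared with a hard-coded hex string) comes from the
write-up; every value below is constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a digest embedded in a binary.
SAMPLE_MD5 = hashlib.md5(b"sample-pass").hexdigest()


def weak_check(candidate, stored_md5_hex):
    """Unsalted, fast, compared with ==: the pattern seen in the binary."""
    return hashlib.md5(candidate.encode()).hexdigest() == stored_md5_hex


def lookup_table(wordlist):
    """With no salt, one precomputed table serves every digest of this kind,
    which is why an online lookup service returns such passwords instantly."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def make_record(password, iterations=200_000):
    """Hardened storage: a random per-user salt and a deliberately slow KDF,
    so a table built for one record is useless for any other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def strong_check(candidate, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed wordlist: the weak scheme falls to a dictionary lookup.
    table = lookup_table(["letmein", "sample-pass", "password1"])
    print("weak digest resolves to:", table.get(SAMPLE_MD5))
    a, b = make_record("sample-pass"), make_record("sample-pass")
    print("same password, different records:", a["digest"] != b["digest"])
    print("strong check accepts correct password:", strong_check("sample-pass", a))
```

The two make_record calls with the same password produce different digests, so there is nothing reusable to precompute; the iteration count is what makes each guess expensive, and should be raised as hardware gets faster. For a native binary the equivalent is to keep no password material in the executable at all and verify against a salted, slow hash stored outside it.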

[Screenshot: editing base64.py]
Now I can edit the base64.py module.

[Screenshot: reverse shell]
I injected Python reverse shell code into the module (as shown above) and got a root reverse shell back on port 8443 on my local machine. GG.


Flags

[Screenshot: user.txt]
The user.txt flag, read once I had a foothold on the target machine.

[Screenshot: root.txt]
The root.txt flag, read once I had used Python library hijacking to escalate privileges to root.